This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
cfe/trunk/
-
trunk/
-
lib/StaticAnalyzer/
-
StaticAnalyzer/
-
Checkers/
-
CStringChecker.cpp
-
Core/
-
CallEvent.cpp
-
test/Analysis/
-
Analysis/
-
call-invalidation.cpp
-
malloc.c

Differential D19057

[analyzer] Let TK_PreserveContents span across the whole base region.
ClosedPublic

Authored by NoQ on Apr 13 2016, 7:16 AM.

Download Raw Diff

Details

Reviewers

dcoughlin
zaks.anna

Commits

rG70247e69b1f1: [analyzer] Let TK_PreserveContents span across the whole base region.
rC267413: [analyzer] Let TK_PreserveContents span across the whole base region.
rL267413: [analyzer] Let TK_PreserveContents span across the whole base region.

Summary

Essentially, if s is a structure, and foo(const void *) is evaluated conservatively, then foo(&s) does not invalidate s, but foo(&(s.x)) invalidates the whole s, because the store only looks at traits of base regions (inside binding keys), and s.x is a field region.

This patch represents the idea that only whole base regions should carry the TK_PreserveContents trait. This also makes a bit of sense, because no matter what pointer arithmetic we do with a const pointer, it's still a const pointer. There's an extra complication with mutable fields in C++ classes, which i neither added nor fixed here.

In CallEvent.cpp below the changed code there's a FIXME comment, but i'm not sure what it means; if anybody thinks it means exactly what this patch is about, then i'd have to update it :)

What i don't like about the approach this patch implements, is that it makes the core rely on an implementation detail of RegionStoreManager ("only base regions are relevant" is such implementation detail). Instead, i also tried to add a few extra virtual methods into the StoreManager to avoid this problem, but it made the patch much heavier. I can post that, unless anybody else thinks that it's a natural thing (rather than implementation detail) to propagate this trait to base regions.

Instead, it should be possible to auto-replace the region with a base region inside setTrait() and hasTrait() methods.

Diff Detail

Repository: rL LLVM

Event Timeline

NoQ updated this revision to Diff 53551.Apr 13 2016, 7:16 AM

NoQ retitled this revision from to [analyzer] Let TK_PreserveContents span across the whole base region..

NoQ updated this object.

NoQ added reviewers: zaks.anna, dcoughlin.

NoQ added a subscriber: cfe-commits.

xazax.hun added a subscriber: xazax.hun.Apr 14 2016, 5:25 AM

LGTM!

One thing to be aware here is that a const pointer could be deleted, so we should be able to delete a parent object without a warning. (I think that should work with this patch since you don't change the trait, but you might want to add a test.)

What i don't like about the approach this patch implements, is that it makes the core rely on an
implementation detail of RegionStoreManager ("only base regions are relevant" is such implementation
detail). Instead, i also tried to add a few extra virtual methods into the StoreManager to avoid this
problem, but it made the patch much heavier. I can post that, unless anybody else thinks that it's a
natural thing (rather than implementation detail) to propagate this trait to base regions.

I'd commit this patch. If you want, feel free to follow up with another to remove the leaking of the implementation detail. I do not fully understand what the alternate solution is... I do not think it would make sense to automatically apply the TK_PreserveContents trait to the base region when one calls ETraits.setTrait(); not sure if you are suggesting that.

lib/StaticAnalyzer/Core/CallEvent.cpp
182 ↗	(On Diff #53551)	Not sure, but this could mean to deal with cases where you pass a non const pointer to a class that has const fields..

This revision is now accepted and ready to land.Apr 23 2016, 4:35 PM

Closed by commit rL267413: [analyzer] Let TK_PreserveContents span across the whole base region. (authored by dergachev). · Explain WhyApr 25 2016, 7:50 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

cfe/

trunk/

lib/

StaticAnalyzer/

Checkers/

CStringChecker.cpp

2 lines

Core/

CallEvent.cpp

2 lines

test/

Analysis/

call-invalidation.cpp

47 lines

malloc.c

19 lines

Diff 54852

cfe/trunk/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

Show First 20 Lines • Show All 914 Lines • ▼ Show 20 Lines	if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
// Invalidate this region.		// Invalidate this region.
const LocationContext *LCtx = C.getPredecessor()->getLocationContext();		const LocationContext *LCtx = C.getPredecessor()->getLocationContext();

bool CausesPointerEscape = false;		bool CausesPointerEscape = false;
RegionAndSymbolInvalidationTraits ITraits;		RegionAndSymbolInvalidationTraits ITraits;
// Invalidate and escape only indirect regions accessible through the source		// Invalidate and escape only indirect regions accessible through the source
// buffer.		// buffer.
if (IsSourceBuffer) {		if (IsSourceBuffer) {
ITraits.setTrait(R,		ITraits.setTrait(R->getBaseRegion(),
RegionAndSymbolInvalidationTraits::TK_PreserveContents);		RegionAndSymbolInvalidationTraits::TK_PreserveContents);
ITraits.setTrait(R, RegionAndSymbolInvalidationTraits::TK_SuppressEscape);		ITraits.setTrait(R, RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
CausesPointerEscape = true;		CausesPointerEscape = true;
} else {		} else {
const MemRegion::Kind& K = R->getKind();		const MemRegion::Kind& K = R->getKind();
if (K == MemRegion::FieldRegionKind)		if (K == MemRegion::FieldRegionKind)
if (Size && IsFirstBufInBound(C, state, E, Size)) {		if (Size && IsFirstBufInBound(C, state, E, Size)) {
// If destination buffer is a field region and access is in bound,		// If destination buffer is a field region and access is in bound,
▲ Show 20 Lines • Show All 1,292 Lines • Show Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp

Show First 20 Lines • Show All 171 Lines • ▼ Show 20 Lines	ProgramStateRef CallEvent::invalidateRegions(unsigned BlockCount,
if (!argumentsMayEscape())		if (!argumentsMayEscape())
findPtrToConstParams(PreserveArgs, *this);		findPtrToConstParams(PreserveArgs, *this);

for (unsigned Idx = 0, Count = getNumArgs(); Idx != Count; ++Idx) {		for (unsigned Idx = 0, Count = getNumArgs(); Idx != Count; ++Idx) {
// Mark this region for invalidation. We batch invalidate regions		// Mark this region for invalidation. We batch invalidate regions
// below for efficiency.		// below for efficiency.
if (PreserveArgs.count(Idx))		if (PreserveArgs.count(Idx))
if (const MemRegion *MR = getArgSVal(Idx).getAsRegion())		if (const MemRegion *MR = getArgSVal(Idx).getAsRegion())
ETraits.setTrait(MR->StripCasts(),		ETraits.setTrait(MR->getBaseRegion(),
RegionAndSymbolInvalidationTraits::TK_PreserveContents);		RegionAndSymbolInvalidationTraits::TK_PreserveContents);
// TODO: Factor this out + handle the lower level const pointers.		// TODO: Factor this out + handle the lower level const pointers.

ValuesToInvalidate.push_back(getArgSVal(Idx));		ValuesToInvalidate.push_back(getArgSVal(Idx));
}		}

// Invalidate designated regions using the batch invalidation API.		// Invalidate designated regions using the batch invalidation API.
// NOTE: Even if RegionsToInvalidate is empty, we may still invalidate		// NOTE: Even if RegionsToInvalidate is empty, we may still invalidate
▲ Show 20 Lines • Show All 927 Lines • Show Last 20 Lines

cfe/trunk/test/Analysis/call-invalidation.cpp

Show First 20 Lines • Show All 112 Lines • ▼ Show 20 Lines	void testPureConst() {
clang_analyzer_eval(global == -5); // expected-warning{{TRUE}}		clang_analyzer_eval(global == -5); // expected-warning{{TRUE}}

usePointer(&p);		usePointer(&p);
clang_analyzer_eval(x == 42); // expected-warning{{UNKNOWN}}		clang_analyzer_eval(x == 42); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(global == -5); // expected-warning{{UNKNOWN}}		clang_analyzer_eval(global == -5); // expected-warning{{UNKNOWN}}
}		}


		struct PlainStruct {
		int x, y;
		mutable int z;
		};

		PlainStruct glob;

		void useAnything(void *);
		void useAnythingConst(const void *);

		void testInvalidationThroughBaseRegionPointer() {
		PlainStruct s1;
		s1.x = 1;
		s1.z = 1;
		clang_analyzer_eval(s1.x == 1); // expected-warning{{TRUE}}
		clang_analyzer_eval(s1.z == 1); // expected-warning{{TRUE}}
		// Not only passing a structure pointer through const pointer parameter,
		// but also passing a field pointer through const pointer parameter
		// should preserve the contents of the structure.
		useAnythingConst(&(s1.y));
		clang_analyzer_eval(s1.x == 1); // expected-warning{{TRUE}}
		// FIXME: Should say "UNKNOWN", because it is not uncommon to
		// modify a mutable member variable through const pointer.
		clang_analyzer_eval(s1.z == 1); // expected-warning{{TRUE}}
		useAnything(&(s1.y));
		clang_analyzer_eval(s1.x == 1); // expected-warning{{UNKNOWN}}
		}


		void useFirstConstSecondNonConst(const void x, void y);
		void useFirstNonConstSecondConst(void x, const void y);

		void testMixedConstNonConstCalls() {
		PlainStruct s2;
		s2.x = 1;
		useFirstConstSecondNonConst(&(s2.x), &(s2.y));
		clang_analyzer_eval(s2.x == 1); // expected-warning{{UNKNOWN}}
		s2.x = 1;
		useFirstNonConstSecondConst(&(s2.x), &(s2.y));
		clang_analyzer_eval(s2.x == 1); // expected-warning{{UNKNOWN}}
		s2.y = 1;
		useFirstConstSecondNonConst(&(s2.x), &(s2.y));
		clang_analyzer_eval(s2.y == 1); // expected-warning{{UNKNOWN}}
		s2.y = 1;
		useFirstNonConstSecondConst(&(s2.x), &(s2.y));
		clang_analyzer_eval(s2.y == 1); // expected-warning{{UNKNOWN}}
		}

cfe/trunk/test/Analysis/malloc.c

	Show First 20 Lines • Show All 1,744 Lines • ▼ Show 20 Lines
	} //expected-warning{{Potential leak}}			} //expected-warning{{Potential leak}}

	void testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t *rbt) {			void testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t *rbt) {
	int data = (int )malloc(32);			int data = (int )malloc(32);
	fake_rb_tree_init(rbt, data);			fake_rb_tree_init(rbt, data);
	fake_rb_tree_insert_node(rbt, data); // no warning			fake_rb_tree_insert_node(rbt, data); // no warning
	}			}

				struct IntAndPtr {
				int x;
				int *p;
				};

				void constEscape(const void *ptr);

				void testConstEscapeThroughAnotherField() {
				struct IntAndPtr s;
				s.p = malloc(sizeof(int));
				constEscape(&(s.x)); // could free s->p!
				} // no-warning

	// ----------------------------------------------------------------------------			// ----------------------------------------------------------------------------
	// False negatives.			// False negatives.

	void testMallocWithParam(int **p) {			void testMallocWithParam(int **p) {
	p = (int) malloc(sizeof(int));			p = (int) malloc(sizeof(int));
	*p = 0; // FIXME: should warn here			*p = 0; // FIXME: should warn here
	}			}

	void testMallocWithParam_2(int **p) {			void testMallocWithParam_2(int **p) {
	p = (int) malloc(sizeof(int)); // no-warning			p = (int) malloc(sizeof(int)); // no-warning
	}			}

	void testPassToSystemHeaderFunctionIndirectly() {			void testPassToSystemHeaderFunctionIndirectly() {
	int *p = malloc(4);			int *p = malloc(4);
	p++;			p++;
	fakeSystemHeaderCallInt(p);			fakeSystemHeaderCallInt(p);
	// FIXME: This is a leak: if we think a system function won't free p, it			// FIXME: This is a leak: if we think a system function won't free p, it
	// won't free (p-1) either.			// won't free (p-1) either.
	}			}

				void testMallocIntoMalloc() {
				StructWithPtr *s = malloc(sizeof(StructWithPtr));
				s->memP = malloc(sizeof(int));
				free(s);
				} // FIXME: should warn here